Comments attributed to well-known security researcher and consultant Bruce Schneier, which were reported upon in CNET coverage of Infosecurity Europe 2007, were either misconstrued, naive, purposefully provocative or taken out of context -- or some combination of all these. Regardless, they raise or hint at important questions.
Schneier is quoted and paraphrased to the effect that products should be secure when they ship, and therefore there should be no need for a security industry. We agree, of course, that products should be secure when they are sold. What the comments -- at least those included in the story -- don't address is how to handle core problems that emerge after the products leave the vendor's facility.
Any product released into the field will be attacked. In most cases, insecurities that are found can be addressed by patches, new virus definitions and other routine downloads.
There are, however, cases in which the problems will be more fundamental. The story doesn't tackle this, and the quotes attributed to Schneier are a bit vague. His point seems to be that products should be constructed so that remediative steps can be taken from within the product itself, and that a separate security software industry shouldn't be necessary.
There are a couple of problems with this.
We defer to his and other experts' opinion if they say that constructing software differently would make it easier to fight new threats from within. However, saying that separate security software shouldn't be necessary isn't the same as saying that a separate group of companies shouldn't exist to develop and deploy those changes. In other words, if Schneier's point is that the tools to respond to crackers' initiatives should be available within the software, he should say that.
The other point is even more basic. It is impossible to foresee precisely what the bad guys will dream up, and it can't be assumed that everything that crops up can be handled within the framework of an existing piece of software. Thus, a high level of security expertise must always be available. For larger companies, this could involve having security experts on staff. For example, Schneier's own Counterpane security was bought by BT last year. For smaller organizations, however, outside companies such as today's vendors or security service providers will likely still be necessary.
The story hints at interesting questions related to the ways in which software is written and the relationship between companies and the folks who write the software. This issue currently is in play as Microsoft seeks to keep security vendors from accessing the kernel of the 64-bit version of Vista, its new operating system.
How this plays out is important. The key question is whether it is fair for Microsoft's own security business, OneCare, to have access to the kernel that other security vendors do not. From the technical point of view, the relationship between outside companies and Vista's kernel -- and the precedents set by the level of access that eventually is allowed -- speaks to the broader issue of what role discrete security vendors will play in the future.